For most private networks, some form of authentication is required before a client computer is allowed to access resources on the network. A client computer may be authenticated when the computer, or the user of the computer, provides authentication information, which may be based on one or more “factors.” A factor may be something possessed by the user, such as a smart card, or something known to the user, such as a password, or some attribute of the user, such as a fingerprint or eyelid reading. The number and nature of these factors required for authentication may depend on the risk of improperly granting access or likelihood that a client computer is not authorized to access the network.
Authentication information may be based directly on one or more of these factors. In other instances, authentication information may be derived indirectly from one or more of these factors. A client computer may provide one or more of these factors to a source trusted by a network administrator, which may then issue a certificate, identifying a device as a valid client. The certificate, whether alone or with other factors, may authenticate the client computer. Regardless of how the information is obtained, it may be used as part of an exchange between the client computer and an access control mechanism such that the access control mechanism only grants access if the client can be authenticated.
Various mechanisms may be employed to enforce a determination of whether to grant or deny access to a client. Typically, following an authentication process, an authorization process is performed using the authentication information together with additional parameters to determine the access rights of the specific client. The specific mechanism by which access is limited based on access rights of a client may depend on the implementation of the transport layer of the network. In general, once a client is authenticated, the transport layer will route messages to or from the client that are consistent with the access rights of that client. For devices that are not authenticated, even if physically connected to the network, the transport layer does not pass messages to or from the device.
One mechanism to enforce an access determination involves the use of a protocol called IPsec. If a client is not authenticated, the network transport layer will not form an IPsec session for the client to send and receive network communications.
One type of authentication, which is regarded as providing strong security, is a one-time-password. There are multiple technologies that enable generation of one-time-passwords, such as an electronic device tied to a clock that generates a new password at periodic intervals or a pre-printed list of passwords. Regardless of the form in which the passwords are generated, they enhance security because the passwords can be used to gain access to the network for only a limited period of time, which may be defined by a relatively short time interval or by use of the password. Therefore, even if a malicious third party gains access to the password, that third party is unlikely to be able to use the password to access the network.
Unfortunately, though IPsec is widely used for access control, many implementations do not support one-time-passwords. Forming an IPsec session may entail using an Internet Key Exchange (IKE) protocol. The widely used version 1 of the Internet Key Exchange protocol (IKEv1) does not support one-time-passwords. Though version 2 of the Internet Key Exchange protocol (IKEv2) supports one-time-passwords, IKEv2 is not widely used, particularly for remote access control for corporate networks.